Tesco Bank Confirms Massive Account Fraud

Scotland-based Tesco Bank has blocked all online transactions tied to customers' current accounts after money was stolen from 20,000 of those accounts and the bank detected suspicious activity involving another 20,000 accounts, according to CEO Benny Higgins.

"Tesco Bank can confirm that, over the weekend, some of its customers' current accounts have been subject to online criminal activity, in some cases resulting in money being withdrawn fraudulently," Higgins wrote in an alert issued in the early hours of Nov. 7 to customers of the Edinburgh-based bank.

"We continue to work with the authorities and regulators to address the fraud and will keep our customers informed through regular updates on our website, Twitter and direct communication," he said. "We apologize for the worry and inconvenience that this has caused for customers, and can only stress that we are taking every step to protect our customers' accounts."

Tesco Bank, which is wholly owned by U.K. supermarket giant Tesco, said it first saw signs of fraud on the evening of Nov. 5. Some Tesco customers, taking to the bank's customer service website, have reported that their accounts were unexpectedly drained over the weekend. Others have reported difficulty in being able to connect with telephone-based Tesco call center staff.

Higgins told the BBC in a Nov. 7 interview that he was "very hopeful" that customers would receive full refunds within 24 hours.

"Any financial loss that results from this fraudulent activity will be borne by the bank," Higgins said. "Customers are not at financial risk."

As a precaution we have notified some customers that we have blocked their cards to protect their account - https://t.co/m8zjO6BKgj

Scant Details

Tesco said the fraud involved current - aka checking - accounts, which it first launched in June 2014.

Tesco has so far avoided referring to the incident as involving either a data breach or a hack attack. But security experts say that the breach likely involved a system-level compromise, although it's unclear if insiders, outsiders or both may have been involved.

"It is still unclear as to how the affected customer accounts were breached. Over 40,000 victims would be an extremely large number of victims for a phishing campaign so therefore, the breach may be within the bank's systems," says information security consultant Brian Honan, who advises the EU's law enforcement intelligence agency, Europol. "The breach is probably more likely to have come from external attackers using a weakness in the bank's online systems, or from someone within the bank, or indeed from one of the bank's vendors."

The scale of the attack appears to be unprecedented for a British bank. "I've not heard of an attack of this nature and scale on a U.K. bank where it appears that the bank's central system is the target," Alan Woodward, a University of Surrey computer science professor and cybersecurity consultant to Europol, told the BBC.

Honan, who also heads Ireland's computer emergency response team, says that the attack could have repercussions beyond just the bank's image. "The scale of the breach is worrying, and if it is released that the breach was due to a vulnerability in the bank's online systems, it will lead to a lot of trust lost in Tesco Bank and indeed may impact people's confidence with the online systems of other banks."

Tesco Bank confirmed the breach in a notice on its homepage.

NCA Launches Investigation

The U.K.'s National Crime Agency says that it is leading the investigation into the incident. "We can confirm that we are coordinating the law enforcement response to the Tesco data breach," a spokesman for the NCA tells Information Security Media Group. The U.K.'s national fraud and cybercrime reporting center is also providing guidance to anyone who might have been affected.

Likewise, the U.K. Information Commissioner's Office says that it will review Tesco Bank's data security practices to ensure that it complied with the country's data protection and privacy laws. "The law requires organizations to have appropriate measures in place to keep people's personal data secure. Where there's a suggestion that hasn't happened, the ICO can investigate, and enforce if necessary," the ICO notes via Twitter.

Customers: Protected Up To £75,000

Following a five-year joint venture with NatWest, Tesco Bank was founded in 1997 by Tesco and the Royal Bank of Scotland, each of which owned half of the firm. In 2008, Tesco acquired RBS's share, making it a wholly owned subsidiary of Tesco, which is subject to the Financial Services Compensation Scheme. The scheme protects depositors, ensuring that they will be compensated for any losses suffered by authorized firms, up to £75,000 ($93,000).

Tesco Bank said that after detecting fraud over the weekend, as a "precautionary measure," it opted "to temporarily stop online transactions from current accounts." The bank has about 7.8 million customers across its various products - including credit cards and insurance products - of whom 140,000 use its current accounts.

While customers cannot use debit cards tied to their current accounts for online transactions, they can still use them for chip-and-PIN transactions, the bank says. "All existing bill payments and direct debits will continue as normal," it adds. "We are working hard to resume normal service on current accounts as soon as possible."

Tesco Bank promised to issue new cards to affected customers within 10 days.

About the Author

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as executive editor of DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
